The document describes an upcoming security conference titled "First Improvised Security Testing Conference" to be held on August 8th, 2003 in Madrid. It then provides details about a talk to be given by speaker Vicente Aceituno titled "Advanced Google Searching: Google as a hacking tool". The talk will cover various advanced search techniques using Google to find vulnerable servers, files, and other useful information for security testing purposes. These techniques include directory listings, common default pages, language translations, and the potential use of autonomous "robots" to identify targets.
First Improvised Security Conference Google Search
1. First Improvised Security Testing Conference
Madrid, 8th August 2003
Advanced Google Searching
Google as a hacking tool
Author: Johnny Long
johnny@ihackstuff.com
http://johnny.ihackstuff.com
Speaker: Vicente Aceituno
2. Why Google?
Google caches all crawled web pages
Google provides instant response
Google provides document translations
Google provides language translation
Google provides web, news, catalog and ftp searches
Google is cool
3. Index
Google Searching
Default Web pages
Directory listings
Finding files
Googlescan tools
Rise of the Robots
Prevention
4. Google Searching
Google provides a great deal of information about using its search engine to its fullest capacity.
The following tables are copied verbatim from Google's usage documents.
5. Basic Searching
Include Query Term
  Example: Star Wars Episode +I
  If a common word is essential to getting the results you want, you can include it by putting a "+" sign in front of it.
Exclude Query Term
  Example: bass -music
  You can exclude a word from your search by putting a minus sign ("-") immediately in front of the term you want to exclude from the search results.
Phrase Search
  Example: "yellow pages"
  Search for complete phrases by enclosing them in quotation marks or connecting them with hyphens. Words marked in this way will appear together in all results exactly as entered.
  Note: You may need to use a "+" to force inclusion of common words in a phrase.
Boolean OR Search
  Example: vacation london OR paris
  Google search supports the Boolean "OR" operator. To retrieve pages that include either word A or word B, use an uppercase OR between terms.
6. Filtering/Exclusion
File Type Filtering
  Example: filetype:doc OR filetype:pdf
  The query prefix "filetype:" filters the results returned to include only documents with the extension specified immediately after. Note there can be no space between "filetype:" and the specified extension.
  Note: Multiple file types can be included in a filtered search by adding more "filetype:" terms to the search query.
File Type Exclusion
  Example: -filetype:doc -filetype:pdf
  The query prefix "-filetype:" filters the results to exclude documents with the extension specified immediately after. Note there can be no space between "-filetype:" and the specified extension.
  Note: Multiple file types can be excluded in a filtered search by adding more "-filetype:" terms to the search query.
7. Filtering site/date
Site Restricted Search
  Example: admission site:www.stanford.edu
  If you know the specific web site you want to search but aren't sure where the information is located within that site, you can use Google to search only within a specific web site. Do this by entering your query followed by the string "site:" followed by the host name.
  Note: The exclusion operator ("-") can be applied to this query term to remove a web site from consideration in the search.
  Note: Only one site: term per query is supported.
Date Restricted Search
  Example: Star Wars daterange:2452122-2452234
  If you want to limit your results to documents that were published within a specific date range, then you can use the "daterange:" query term to accomplish this. The "daterange:" query term must be in the following format: daterange:<start_date>-<end_date> where <start_date> = Julian date indicating the start of the date range and <end_date> = Julian date indicating the end of the date range.
  The Julian date is calculated by the number of days since January 1, 4713 BC. For example, the Julian date for August 1, 2001 is 2452122.
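To turn calendar dates into the daterange: operands described above, here is an added Python helper (not from the talk or from Google). It assumes Google's number is the Julian day at 00:00 of the date, which is what makes the page's own example, 1 August 2001 = 2452122, come out (the noon-based astronomical Julian day number for that date is 2452123).

```python
import re
from datetime import date, timedelta

# Python's date.toordinal() counts days with 0001-01-01 = 1.  The noon-based
# Julian day number of 0001-01-01 (proleptic Gregorian) is 1721426, so the
# textbook conversion is ordinal + 1721425.  Google's daterange: values are
# one lower (midnight-based); this offset is the assumption calibrated against
# the example on the page: 1 August 2001 -> 2452122.
GOOGLE_JULIAN_OFFSET = 1721424


def to_google_julian(d: date) -> int:
    """Calendar date -> integer usable as a daterange: operand."""
    return d.toordinal() + GOOGLE_JULIAN_OFFSET


def from_google_julian(jd: int) -> date:
    """Inverse mapping, handy for decoding a daterange: seen in a query log."""
    return date.fromordinal(jd - GOOGLE_JULIAN_OFFSET)


def daterange_query(terms: str, start: date, end: date) -> str:
    """Build '<terms> daterange:<start>-<end>' in the format the page quotes."""
    if end < start:
        raise ValueError("end date precedes start date")
    return f"{terms} daterange:{to_google_julian(start)}-{to_google_julian(end)}"


def last_days_query(terms: str, days: int, today: date) -> str:
    """Restrict a query to the `days` days ending on `today`."""
    return daterange_query(terms, today - timedelta(days=days), today)


def decode_daterange(query: str):
    """Extract (start, end) calendar dates from a query containing daterange:."""
    m = re.search(r"daterange:(\d+)-(\d+)", query)
    if not m:
        return None
    return from_google_julian(int(m.group(1))), from_google_julian(int(m.group(2)))


if __name__ == "__main__":
    print(daterange_query("Star Wars", date(2001, 8, 1), date(2001, 11, 21)))
```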
8. Title searching
Title Search (term)
  Example: intitle:Google search
  If you prepend "intitle:" to a query term, Google search restricts the results to documents containing that word in the title. Note there can be no space between the "intitle:" and the following word.
  Note: Putting "intitle:" in front of every word in your query is equivalent to putting "allintitle:" at the front of your query.
Title Search (all)
  Example: allintitle: Google search
  Starting a query with the term "allintitle:" restricts the results to those with all of the query words in the title.
9. URL Searches
URL Search (term)
  Example: inurl:Google search
  If you prepend "inurl:" to a query term, Google search restricts the results to documents containing that word in the result URL. Note there can be no space between the "inurl:" and the following word.
  Note: "inurl:" works only on words, not URL components. In particular, it ignores punctuation and uses only the first word following the "inurl:" operator. To find multiple words in a result URL, use the "inurl:" operator for each word.
  Note: Putting "inurl:" in front of every word in your query is equivalent to putting "allinurl:" at the front of your query.
URL Search (all)
  Example: allinurl: Google search
  Starting a query with the term "allinurl:" restricts the results to those with all of the query words in the result URL.
  Note: "allinurl:" works only on words, not URL components. In particular, it ignores punctuation. Thus, "allinurl: foo/bar" restricts the results to pages with the words "foo" and "bar" in the URL, but does not require that they be separated by a slash within that URL, that they be adjacent, or that they be in that particular word order. There is currently no way to enforce these constraints.
10. Text/Link Searching
Text Only Search (all)
  Example: allintext: Google search
  Starting a query with the term "allintext:" restricts the results to those with all of the query words in only the body text, ignoring link, URL, and title matches.
Links Only Search (all)
  Example: allinlinks: Google search
  Starting a query with the term "allinlinks:" restricts the results to those with all of the query words in the URL links on the page.
11. Link Searches
Back Links
  Example: link:www.google.com
  The query prefix "link:" lists web pages that have links to the specified web page. Note there can be no space between "link:" and the web page URL.
  Note: No other query terms can be specified when using this special query term.
Related Links
  Example: related:www.google.com
  The query prefix "related:" lists web pages that are similar to the specified web page. Note there can be no space between "related:" and the web page URL.
  Note: No other query terms can be specified when using this special query term.
13. Tricks
When www.google.com is not available, try www2.google.com or www3.google.com.
Reading Google's cache can prevent filters from knowing which page you are viewing.
You can get the same result by tricking Google into an English-to-English translation:
http://translate.google.com/translate (main URL)
?u=http://www.defcon.org&langpair=en|en (options)
19. Apache 1.2.6
intitle:"Test Page for Apache" "It Worked!"
20. Apache 1.3.0 - 1.3.9
intitle:"Test Page for Apache" "It worked!" "this web site!"
21. Apache 1.3.11 - 1.3.26
"seeing this instead" intitle:"Test Page for Apache"
22. Apache 2.0
intitle:"Simple page for Apache" "Apache Hook Functions"
23. Apache Version Info
Apache Version    Number of Servers
1.3.6             119,000
1.3.3             151,000
1.3.14            159,000
1.3.24            171,000
1.3.9             203,000
2.0.39            256,000
1.3.23            259,000
1.3.19            260,000
1.3.12            300,000
1.3.20            353,000
1.3.22            495,000
1.3.26            896,000
Google told us all this. We'll discuss how in the next section.
25. Directory Listings
Directory listings are often misconfigurations in the web server.
A directory listing shows a list of files in a directory as opposed to presenting a web page.
Directory listings can provide very useful information.
26. Directory Example
intitle:"Index of"
This query serves as the basis for all directory searches...
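A defender can check what his own servers return before Google indexes them (disabling listings with Apache's Options -Indexes and replacing the default page are the fixes). The following Python, added here and not from the talk, encodes the Apache default-page and "Index of" fingerprints from the slides above as a classifier for an HTTP response body; the sample bodies are constructed for the example.

```python
import re

# Fingerprints derived from the queries on the Apache and directory listing
# slides: a title fragment plus body phrases that must all be present.
# Most specific entries come first so that 1.3.0-1.3.9 is not reported as 1.2.6.
FINGERPRINTS = [
    ("Apache 2.0 default page", "simple page for apache", ["apache hook functions"]),
    ("Apache 1.3.11-1.3.26 default page", "test page for apache", ["seeing this instead"]),
    ("Apache 1.3.0-1.3.9 default page", "test page for apache", ["it worked!", "this web site!"]),
    ("Apache 1.2.6 default page", "test page for apache", ["it worked!"]),
    ("directory listing", "index of", []),
]

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def page_title(html: str) -> str:
    """Return the <title> text with whitespace collapsed, or '' if absent."""
    m = TITLE_RE.search(html)
    return " ".join(m.group(1).split()) if m else ""


def classify(html: str):
    """Label a response body with the first matching fingerprint, else None."""
    title = page_title(html).lower()
    body = " ".join(html.lower().split())
    for label, title_frag, phrases in FINGERPRINTS:
        if title_frag in title and all(p in body for p in phrases):
            return label
    return None


def audit(pages: dict) -> dict:
    """Map each URL to its finding; pages with no match are left out."""
    findings = {}
    for url, html in pages.items():
        label = classify(html)
        if label:
            findings[url] = label
    return findings


# Constructed sample bodies (not real server output) for demonstration.
SAMPLES = {
    "http://host-a/": "<html><head><title>Test Page for Apache</title></head>"
                      "<body>It worked! ... this web site! ...</body></html>",
    "http://host-b/files/": "<html><head><title>Index of /files/</title></head>"
                            "<body><a href=\"backup.tgz\">backup.tgz</a></body></html>",
    "http://host-c/": "<html><head><title>Acme Corp</title></head><body>Welcome</body></html>",
}

if __name__ == "__main__":
    for url, finding in audit(SAMPLES).items():
        print(f"{url}: {finding}")
```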
41. Googlescan
With a known set of file-based web vulnerabilities, a vulnerability scanner based on search engines is certainly a reality.
42. Googlescan
Armed with a list of cgi exploits from any common CGI scanner...
...
/scancfg.cgi
/cgi-bin/CrazyWWWBoard.cgi
/cgi-bin/pals-cgi
/ROADS/cgi-bin/search.pl
/way-board/way-board.cgi
/cgi-bin/replicator/webpage.cgi
/cgi-bin/auktion.pl
/cgi-bin/webspirs.cgi
/cgi-bin/ipf/etc/gfw/ui/pwd.dat
/cgi-bin/hsx.cgi
/cgi-bin/mailnews.cgi
/cgi-bin/adcycle
/cgi-bin/post-query
/cgi-bin/ikonboard/help.cgi
/cgi-bin/webspirs.cgi
...
49. Rise of the Robots
Michal Zalewski wrote a great article for Phrack (57/10) which presented the idea of the use of autonomous search robots in server exploitation.
50. Rise of the Robots
"Consider a remote exploit that is able to compromise a remote system without sending any attack code to his victim. Consider an exploit which simply creates local file to compromise thousands of computers, and which does not involve any local resources in the attack. Welcome to the world of zero-effort exploit techniques. Welcome to the world of automation, welcome to the world of anonymous, dramatically difficult to stop attacks resulting from increasing Internet complexity." – Michal Zalewski
51. The Concept
Web robots crawl a web page, indexing the files they are allowed to find.
Any links that are found on the indexed pages are followed as well.
Instead of standard web links, create a payload of "exploit" links for the crawlers to consume.
52. Simple Example
Michal presents the following example links on his indexed web page:
http://somehost/cgi-bin/script.pl?p1=../../../../attack
http://somehost/cgi-bin/script.pl?p1=;attack
http://somehost/cgi-bin/script.pl?p1=|attack
http://somehost/cgi-bin/script.pl?p1=`attack`
http://somehost/cgi-bin/script.pl?p1=$(attack)
http://somehost:54321/attack?`id`
http://somehost/AAAAAAAAAAAAAAAAAAAAA...
53. Simple Example
The robots followed all the links as written, including connecting to non-http ports.
The robots followed the "attack links," performing the attack completely unaware.
54. Think Big
Michal goes on to postulate that randomly generated, massive lists would cause much more of a problem.
A simple PERL or CGI script randomly generating attack links in the thousands and tens of thousands would create a huge problem!
Who would be liable?
55. Google doesn't stop
Tomorrow there will be even more sophisticated features... try this:
http://labs1.google.com/cgi-bin/gviewer.cgi?q=intitle%3Aindex.of.private&delay=8&start=0
http://labs.google.com/sets?hl=en&q1=password&passwd&q3=shadow&q4=etc&q5=&btn=Large+Set
57. Advice
Google says it isn't Google's fault.
Google is very happy to remove references. See http://www.google.com/remove.html.
Follow the webmaster’s advice found at
http://www.google.com/webmasters/
Get smarter.
58. /misc: “Google Hacks”
There is this book.
And it’s an O’REILLY book.
But it’s not about hacking.
It’s about searching.
59. Google Hotspots
Google APIs: http://www.google.com/apis/
Google voice search: http://labs.google.com/gvs.html
Google sets: http://labs.google.com/sets
Google catalog search: http://catalogs.google.com/
Google news search: http://news.google.com
Google weblog: http://google.blogspace.com/